PT-2026-56234 · 9Router · 9Router

Ductinn

+1

·

Published

2026-07-02

·

Updated

2026-07-07

·

CVE-2026-59800

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.44
Description An OS command injection issue exists due to improper access control. The endpoint "/api/tunnel/tailscale-install" does not require authentication because it is missing from the dashboard middleware matcher. A remote unauthenticated attacker can send a POST request containing a sudoPassword variable in the request body. This value is written to the stdin of a sudo -S sh child process. In environments where the process runs as root, NOPASSWD is configured, or a sudo timestamp cache exists, the sudoPassword value is interpreted and executed as a shell command by sh. This allows for remote code execution as the user running the 9Router process. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
Recommendations Update 9Router to version 0.4.44 or later. As a temporary mitigation, restrict access to the "/api/tunnel/tailscale-install" endpoint to prevent unauthenticated remote access.

Exploit

Fix

Missing Authorization

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59800
GHSA-G6G7-PVMX-M74P

Affected Products

9Router